- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extract the same field two different ways
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to end up with a filed called mapi_err that contains a MAPI error string. I am looking at the third line in a multi-line event which may look like:
Unpopulated address list - can't resolve names: MAPI_E_NOT_FOUND
or it may look like
Unable to create MAPI message in Outbox, HR=80040115
In the first case, the error string is in the event, MAPI_E_NOT_FOUND, so I can just extract any ": MAPI_*". In the second case, I need to extract the hex error code, 80040115, after "HR=" and then do a lookup in a CSV to get the MAPI error string. I can't figure out a way to accommodate both event formats in a search string. I've gotten the full line into mapi_err_full and then tried:
rex field=mapi_err_full ": (?<mapi_err>MAPI_.*)" | rex field=mapi_err_full "HR=(?<mapi_err_hex>[0-9]+)" | lookup MAPIErrorCodes "Hex" as mapi_err_hex OUTPUT "Code" as mapi_err
I really only want to do the lookup if mapi_err_hex is defined. Otherwise, when the lookup fails for events without a mapi_err_hex, it destroys the good value already in mapi_err. Do I have to resort to two separate extractions in props.conf?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if this works for you , extract the first case to "mapi_err_1" and the hex code lookup to "mapi_err_2" , then coalesce the results into the field "mapi_err"
... | eval mapi_err=coalesce(mapi_err_1, mapi_err_2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if this works for you , extract the first case to "mapi_err_1" and the hex code lookup to "mapi_err_2" , then coalesce the results into the field "mapi_err"
... | eval mapi_err=coalesce(mapi_err_1, mapi_err_2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahh, yes, exactly what I was looking for. I was thinking about an if() statement or field aliasing, some way to choose between two values or to combine them. I didn't know about coalesce. Works great, thanks!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
